OAIC Guide: Developing a Data Breach Response Plan

The Office of the Australian Information Commissioner has developed a draft Guide to Developing a Data Breach Response Plan. The Commissioner notes that the cost to an organisation of a data breach can be significant and that implementing a data breach response plan can assist in mitigating these costs.

The data breach response plan should cover things like:

  • a strategy for assessing and containing data breaches – this includes the actions the response team should take in the event of a breach or suspected breach,
  • a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur,
  • the reporting line if staff do suspect a data breach, including who needs to be informed immediately,
  • who is responsible for determining which other external stakeholders should be contacted (for example, law enforcement agencies, regulators and the media),
  • recording data breaches – the organisation should consider how to record data breaches, including those that are not referred to the response team, and
  • a strategy to identify and address any weaknesses in data handling that contributed to the breach.

While the Guide is not legally binding, the Commissioner has indicated that the preparation and implementation of a data breach response plan will likely satisfy an organisation’s obligation under the Australian Privacy Act to take reasonable steps to protect the personal information that the entity holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The closing date for comments is Friday 27 November 2015.

Link (OAIC): Guide to Developing a Data Breach Response Plan